Audit Report

The Social Security Administration's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

A-14-13-13086 | November 2013


MEMORANDUM

Date:      November 26, 2013
To:        The Commissioner
From:      Inspector General
Subject:   The Social Security Administration's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 (A-14-13-13086)

The attached final report summarizes Grant Thornton, LLP's (Grant Thornton) Fiscal Year (FY) 2013 audit of the Social Security Administration's (SSA) information security program and practices, as required by Title III of the E-Government Act of 2002, Public Law Number 107-347. Title III is also known as the Federal Information Security Management Act of 2002 (FISMA).

FISMA requires that we, or an independent external auditor, as determined by the Inspector General (IG), perform an annual evaluation that includes

•   testing the effectiveness of SSA's information security policies, procedures, and practices on a representative subset of the agency's information systems and

•   assessing compliance with FISMA requirements and related information security policies, procedures, standards, and guidelines.

Under a contract we monitored, Grant Thornton, an independent certified public accounting firm, audited SSA's compliance with FISMA for FY 2013. Grant Thornton's report, along with its responses to the FY 2013 IG FISMA reporting metrics developed by the Department of Homeland Security (DHS), is submitted through CyberScope pursuant to Office of Management and Budget (OMB) Memorandum M-14-04, Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.

Objective, Scope, and Methodology

The objective of Grant Thornton's audit was to determine whether SSA's overall information security program and practices were effective and consistent with the FISMA requirements, as defined by DHS. In addition to FISMA and DHS' guidance, Grant Thornton tested SSA's overall information security program and practices using guidance from OMB and the National Institute of Standards and Technology, as well as SSA policy.

Grant Thornton conducted its performance audit in accordance with generally accepted government auditing standards. Those standards require that Grant Thornton plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for its findings and conclusions based on the audit objectives.

Audit Results

For FY 2013, Grant Thornton determined that SSA had established an overall information security program and practices that were generally consistent with FISMA requirements. However, weaknesses identified limited the overall program's effectiveness in adequately protecting the Agency's information and information systems. Grant Thornton concluded that each of the metrics was generally consistent with FISMA requirements, OMB guidance, and applicable National Institute of Standards and Technology standards; however, Grant Thornton identified weaknesses in the following metrics:

•   Continuous Monitoring Management
•   Configuration Management
•   Identity and Access Management
•   Incident Response and Reporting
•   Risk Management
•   Security Training
•   Plan of Action & Milestones
•   Remote Access Management
•   Contingency Planning
•   Contractor Systems Oversight

Weaknesses in Section 2, Configuration Management, and Section 3, Identity and Access Management, resulted in negative conclusions on components of these metrics. For FY 2013, Grant Thornton concluded that the risk and severity of SSA's information security weaknesses were great enough to constitute a significant deficiency under FISMA.

OIG Evaluation of Grant Thornton's Audit Performance

To fulfill our responsibilities under the Inspector General Act of 1978, we monitored Grant Thornton's audit of SSA's FY 2013 compliance with FISMA by

•   reviewing Grant Thornton's audit approach and planning;
•   evaluating its auditors' qualifications and independence;
•   monitoring the audit progress;
•   examining Grant Thornton's work papers;
•   reviewing Grant Thornton's audit report to ensure compliance with Government Auditing Standards;
•   coordinating the issuance of the audit report; and
•   performing other procedures as deemed necessary.

Grant Thornton is responsible for the attached auditor's report and the work and conclusions expressed therein. The OIG is responsible for technical and administrative oversight regarding Grant Thornton's performance under the terms of the contract. Our monitoring review, as described above, disclosed no instances where Grant Thornton did not comply with applicable auditing standards.

If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

Patrick P. O'Carroll, Jr.

Attachment


MEMORANDUM

Date:      November 26, 2013
To:        SSA Office of the Inspector General
From:      Grant Thornton, LLP
Subject:   The Social Security Administration's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 (A-14-13-13086)

In conjunction with the audit of the Social Security Administration's (SSA) Fiscal Year (FY) 2013 Financial Statements, the Office of the Inspector General engaged us to conduct the performance audit on SSA's compliance with the Federal Information Security Management Act of 2002 (FISMA) for FY 2013. The objective was to determine whether SSA's overall information security program and practices were effective and consistent with the requirements of FISMA as defined by the Department of Homeland Security. We are pleased to report the results of our audit and appreciate the support provided to us in completing this review.

Our report is intended solely for the information and use of management at SSA, SSA's Office of the Inspector General, the Office of Management and Budget, the Government Accountability Office, and Congress and is not intended to be and should not be used by anyone other than these specified parties.

Alexandria, Virginia
November 26, 2013


The Social Security Administration's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013
November 2013                                                                Report Summary

Objective

Our objective was to determine whether the Social Security Administration's (SSA) overall information security program and practices were effective and consistent with the requirements of the Federal Information Security Management Act of 2002 (FISMA), as defined by the Department of Homeland Security (DHS).

Background

SSA's Office of the Inspector General (OIG) engaged us, Grant Thornton LLP (Grant Thornton), to conduct the Fiscal Year 2013 FISMA performance audit in accordance with Government Auditing Standards, commonly referred to as the "Yellow Book," which sets forth generally accepted government auditing standards. We assessed the effectiveness of SSA's information security policies, procedures, and practices on a representative subset of the Agency's information systems by leveraging work performed as part of the financial statement audit and through performance of additional testing procedures as needed. We determined whether SSA's overall information security program and practices were effective and consistent with the requirements of FISMA and other regulations, standards, and guidance applicable during the audit period.

Our Findings

We determined that SSA had established an overall information security program and practices that were generally consistent with FISMA requirements. However, weaknesses in some of the program's components limited the overall program's effectiveness to adequately protect the Agency's information and information systems. We concluded that these weaknesses constituted a significant deficiency under FISMA.

Our Recommendations

•   Formally document comprehensive policies and procedures related to (1) threat identification and vulnerability management and (2) application and system software change management that address issues noted during the audit.

•   Develop a comprehensive program to identify and monitor high-risk programs operating on the mainframe.

•   Analyze current access authorization and removal processes to determine whether current controls mitigate the risk of unauthorized access and modify controls considering automation and monitoring.

•   Continue, as part of the SSA profile quality program, additional profile content reviews and other key profile improvement initiatives.

•   Address weaknesses identified within the comments of Appendix B by implementing our recommendations provided throughout the audit in our Notices of Finding and Recommendation.

SSA's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013


TABLE OF CONTENTS

Objective ..... 1
Background ..... 1
Scope and Methodology ..... 1
Results of Review ..... 2
     Agency Efforts to Resolve Weaknesses and Potential Cause for the FY 2013 FISMA Significant Deficiency ..... 7
Conclusions and Recommendations ..... 7
Views of Responsible Officials ..... 8
Appendix A – Scope and Methodology ..... A-1
Appendix B – Response to Fiscal Year 2013 Inspector General Federal Information Security Management Act Reporting Metrics ..... B-1
Appendix C – The Social Security Administration's General Support Systems and Major Applications ..... C-1
Appendix D – Metrics Defined ..... D-1
Appendix E – Major Contributors ..... E-1


ABBREVIATIONS

DHS                  Department of Homeland Security
FIPS                 Federal Information Processing Standards Publication
FISCAM               Federal Information System Controls Audit Manual
FISMA                Federal Information Security Management Act of 2002
FSA                  Financial Statement Audit
FY                   Fiscal Year
GAGAS                Generally Accepted Government Auditing Standards
GAS                  Government Auditing Standards
Grant Thornton       Grant Thornton LLP
IG                   Inspector General
IT                   Information Technology
NFR                  Notice of Finding and Recommendation
NIST                 National Institute of Standards and Technology
OMB                  Office of Management and Budget
OIG                  Office of the Inspector General
PII                  Personally Identifiable Information
Pub. L. No.          Public Law Number
SSA                  Social Security Administration
U.S.C.               United States Code


OBJECTIVE

Our objective was to determine whether the Social Security Administration's (SSA) overall information security program and practices were effective and consistent with the requirements of the Federal Information Security Management Act of 2002 (FISMA) as defined by the Department of Homeland Security (DHS).

To achieve this objective, we assessed the effectiveness of SSA's information security policies, procedures, and practices on a representative subset of the Agency's information systems. We then determined whether SSA's overall information security program and practices were effective and consistent with the requirements of FISMA and other regulations, standards, and guidance applicable during the audit period.

BACKGROUND

In conjunction with the audit of SSA's Fiscal Year (FY) 2013 Financial Statements, [1] SSA's Office of the Inspector General (OIG) engaged us, Grant Thornton LLP (Grant Thornton), to conduct the FY 2013 FISMA performance audit. FISMA, Title III of the E-Government Act of 2002 (Pub. L. No. 107-347, December 17, 2002), includes the following key requirements:

•   Each agency must develop, document, and implement an agency-wide information security program. [2]

•   Each agency head is responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of agency information and information systems. [3]

•   The agency's Inspector General (IG), or an independent external auditor, must perform an independent evaluation of the agency's information security program and practices to determine their effectiveness. [4]

[1] Office of the Inspector General Contract Number GS-23F-8196H, December 3, 2009.
[2] Pub. L. No. 107-347, Title III, Section 301 § 3544(b); 44 U.S.C. § 3544(b).
[3] Pub. L. No. 107-347, Title III, Section 301 § 3544(a)(1)(A); 44 U.S.C. § 3544(a)(1)(A).
[4] Pub. L. No. 107-347, Title III, Section 301 §§ 3545(a)(1) and (b)(1); 44 U.S.C. §§ 3545(a)(1) and (b)(1).

SCOPE AND METHODOLOGY

On November 30, 2012, DHS issued reporting metrics for the IG's FY 2013 FISMA submission. We audited the following 11 reporting metrics as part of our review:

FY 2013 Inspector General FISMA Reporting Metrics

•   Continuous Monitoring Management
•   Configuration Management
•   Identity and Access Management
•   Incident Response and Reporting
•   Risk Management
•   Security Training
•   Plan of Action & Milestones (POA&M)
•   Remote Access Management
•   Contingency Planning
•   Contractor Systems
•   Security Capital Planning

The FY 2013 SSA FISMA performance audit was performed in accordance with Government Auditing Standards (GAS), issued by the Comptroller General of the United States, also known as the "Yellow Book," which sets forth generally accepted government auditing standards (GAGAS). We followed the Federal Information System Controls Audit Manual (FISCAM), which provides guidance for evaluating Electronic Data Processing general and application controls in a Federal audit under GAGAS. In accordance with standards contained in GAS issued by the Comptroller General of the United States, we leveraged work performed as part of the FY 2013 Financial Statement Audit (FSA) and performed additional procedures as required to assess the reporting metrics listed above.

This report informs Congress and the public about SSA's security performance and fulfills the Office of Management and Budget (OMB) and DHS requirements under FISMA to submit an annual report to Congress. Refer to Appendix A for additional information on our scope and methodology.

RESULTS OF REVIEW

For FY 2013, we determined that SSA had established an overall information security program and practices that were generally consistent with FISMA requirements. [5] However, weaknesses identified limited the overall program's effectiveness to adequately protect the Agency's information and information systems. We concluded that each of the metrics was generally consistent with FISMA requirements, OMB guidance, and applicable National Institute of Standards and Technology (NIST) standards; however, we identified weaknesses in the following metrics:

•   Continuous Monitoring Management
•   Configuration Management
•   Identity and Access Management
•   Incident Response and Reporting
•   Risk Management
•   Security Training
•   POA&M
•   Remote Access Management
•   Contingency Planning
•   Contractor Systems Oversight

Refer to Appendix D for additional information on metrics.

[5] Our conclusion was based on our assessment of SSA's compliance with DHS' FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics. As indicated in Appendix B, we determined that SSA established all 11 security program components, which were generally consistent with Federal guidance. The 11 components established by SSA included the vast majority of attributes identified by DHS. However, we also noted various issues in our assessment that are documented in the comments within Appendix B.

Weaknesses in Section 2, Configuration Management, and Section 3, Identity and Access Management, resulted in negative conclusions on the following metrics:

Configuration Management

•   2.1.4 – Process for timely (as specified in organization policy or standards) remediation of scan result deviations.

•   2.1.5 – For Windows-based components, United States Government Configuration Baselines (USGCB) secure configuration settings are fully implemented, and any deviations from USGCB baseline settings are fully documented.

•   2.1.8 – Software assessing (scanning) capabilities are fully implemented.

•   2.1.9 – Configuration-related vulnerabilities, including scan findings, have been remediated in a timely manner, as specified in organization policy or standards.

Identity and Access Management

•   3.1.7 – Ensures that the users are granted access based on needs and separation-of-duties principles.

•   3.1.10 – Ensures that accounts are terminated or deactivated once access is no longer required.

We provided comments on these key components of SSA's information security program to Management throughout the audit. [6] Refer to Appendix B for additional information on these and other weaknesses and conclusions.

[6] We provided Agency management with a Notice of Finding and Recommendation (NFR) for each individual weakness. The NFR included the condition, criteria, cause, effect, and recommendation.

We assessed the significance of these weaknesses individually and in the aggregate to determine the risk to SSA's overall information systems security program and management's control structure. We noted that while all these findings, in aggregate, impacted risk, the following weaknesses had the most significant impact on our conclusion:

•   Lack of a comprehensive Agency-wide policy and procedures related to vulnerability management, including security vulnerability identification, prioritization, categorization, remediation, tracking, and closure/validation – During internal penetration testing, we were able to take advantage of software vulnerabilities, misconfigurations, and restricted information to assume control of two servers and the Windows domain, as well as gaining access to the mainframe without detection. This is the third successive year we have gained control of the SSA Windows system without detection. During subsequent assessments of the Agency's overall vulnerability management process, we noted that a key scanning tool was not being fully used to identify vulnerabilities across SSA's network, and Agency-wide comprehensive policies and procedures on vulnerability management were not established.

    The Agency corrected the specific software vulnerabilities identified during our penetration testing, developed configuration standards for the software, and began using more capabilities of the scanning tool. However, without a comprehensive process in place, security threats may not be appropriately prioritized and remediated.

•   Lack of comprehensive Agency-wide policy and procedures related to management of application and system software changes, including identification of all critical types of changes, security categorization and risk analysis for changes, testing requirements based on risk, and requirements for the review and approval of testing results – While our testing demonstrated that change management activities were occurring for application and system software changes, the Agency had not fully documented a comprehensive policy and procedures covering the entirety of the change management processes conducted by the Agency. Our testing noted the following.

        o   System Software – An impact/risk assessment to determine the security implications for mainframe changes did not occur. Further, for the majority of changes tested, we noted that developers were responsible for testing their own changes and implementing these changes into production. While management performed a review to validate that updates made were associated with an approved change, there were no requirements or guidance related to the types of testing to be performed (including security reviews), nor for retention or independent review of testing documentation, nor validation that the change made was limited to the requirements in the approved change ticket.

        o   Application Changes – We noted instances where evidence to support testing and other requirements could not be provided.

    These issues increase the risk that changes to applications and supporting system software, which may impact benefit claim processing, payments, or financial data, do not function as intended or introduce security risks.

•   Lack of controls related to the identification and monitoring of high-risk programs operating on the mainframe [7] – The Agency had not finalized and fully implemented controls associated with ensuring that privileged programs had been approved, could only be modified appropriately, and posed no security risks. Management continues making control enhancements including, but not limited to, identifying privileged programs, the review of privileged programs from a security perspective, access restrictions to all privileged programs, and change/monitoring control enhancements.

    Without appropriate controls, there is an increased risk that the security posture and controls may be bypassed or compromised.

•   Access control issues – Our testing identified numerous issues with logical access controls that are in place to mitigate the risk of unauthorized access. Our testing identified the following issues:

        o   Access Authorization – Our testing identified control failures related to the appropriate completion of authorization forms. Included in these control failures were new hires, transferred employees, and contractors.

        o   Access Removal – Our testing identified control failures related to the timely removal of terminated employees' logical access to the mainframe, network, and other supporting systems. Included in these control failures were instances of SSA and State Disability Determination Services employees who retained access after they were terminated. Additionally, SSA did not have an authoritative source to identify and manage all contractors and therefore SSA was unable to supply actual departure dates for contractors to substantiate timely removal of access.

        o   Profile [8] Content and Analysis Review Program and Supporting Profile Controls – SSA Management continues to make progress in assessing profile content to validate that profiles only provide access to the minimal resources required for users to complete job functions. However, SSA had not completed the review of all profiles that are relevant to critical applications and supporting systems, nor had SSA completed other profile quality initiatives including, but not limited to, some control enhancements.

    As a result of these deficiencies, we noted numerous issues of unauthorized and inappropriate access, including application developers (programmers) with unmonitored access to production data and application transactions, access to key transactions and data, key change management libraries, and other sensitive system software resources.

[7] International Business Machines Corp. defines a mainframe as computers that can support thousands of applications and input/output devices to simultaneously serve thousands of users. A mainframe is the central data repository, or hub, in a corporation's data processing center, linked to users through less powerful devices such as workstations or terminals.
[8] A profile is one of SSA's primary access control mechanisms. Each profile contains a unique mix of facilities and transactions that determines what access to systems resources a specific position needs.

For FY 2013, we concluded that the risk and severity of SSA's information security weaknesses, including those highlighted above and other weaknesses outlined in Appendix B, were great enough to constitute a significant deficiency under FISMA. These weaknesses could result in losses of confidentiality, integrity, and availability of SSA information systems and data. [9]

OMB defines a FISMA significant deficiency as, ". . . a weakness in an agency's overall information systems security program or management control structure, or within one or more information systems, that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets. In this context, the risk is great enough that the agency head and outside agencies must be notified and immediate or near-immediate corrective action must be taken." [10]

These security deficiencies, when aggregated, created a weakness in SSA's overall information systems security program that we concluded significantly compromised the security of its information and information systems.

[9] Confidentiality means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information. Integrity means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. Availability means ensuring timely and reliable access to and use of information. Pub. L. No. 107-347, Title III, Section 301 § 3542(b)(1)(A) to (C), 44 U.S.C. § 3542(b)(1)(A) to (C).
[10] OMB, M-14-04, FY 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, November 18, 2013, page 8.

Agency Efforts to Resolve Weaknesses and Potential Cause for the FY 2013 FISMA Significant Deficiency

In response to the FY 2012 material weakness in information systems controls reported within the internal controls opinion [11] and the FY 2012 FISMA significant deficiency, [12] SSA developed functional remediation teams to investigate issues, identify root causes, and implement corrective actions. Each functional remediation team, with oversight from SSA leadership, took risk-based approaches to remediation, addressing higher risk areas immediately and planning for future security enhancements. Management's risk-based approach included correction of vulnerabilities identified through our specific tests as well as development and implementation of institutionalized and repeatable processes to prevent future weaknesses.

While SSA made significant efforts to strengthen controls over its systems and address weaknesses, our FY 2013 testing continued to identify general control issues in both design and operation of key controls. We believe that in many cases these deficiencies continue to exist because of one or a combination of the following:

•   Control enhancements and newly designed controls require additional time to take effect throughout the environment;

•   By focusing resources on higher risk weaknesses, SSA was unable to implement corrective action for all aspects of the prior year issues; and/or

•   The design and/or operational effectiveness of enhanced or newly designed controls did not completely address risks.

SSA continues to implement corrective actions to address remaining deficiencies, which, in many cases, is a continuation of previously established risk-based strategies.

CONCLUSIONS AND RECOMMENDATIONS

For FY 2013, we determined that SSA had established an overall information security program and practices that were generally consistent with FISMA requirements. However, weaknesses in some of the program's components limited the overall program's effectiveness to adequately protect the Agency's information and information systems. We noted weaknesses within Section 2, Configuration Management, and Section 3, Identity and Access Management, that resulted in negative answers to metrics and various other issues that resulted in comments to the FISMA metrics located in Appendix B.
Based on these factors, we concluded that these\nweaknesses constituted a significant deficiency under FISMA.\n\n\n11\n  Grant Thornton, Independent Auditor\xe2\x80\x99s Report on the audit of SSA\xe2\x80\x99s FY 2012 financial statements, November 8,\n2012.\n12\n  SSA OIG, The Social Security Administration\xe2\x80\x99s Compliance with the Federal Information Security Management\nAct of 2002 for the Fiscal year 2012, (A-14-12-12120), November 15, 2012.\n\n\n\nSSA\xe2\x80\x99s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013               7\n\x0cSSA needs to protect its mission-critical assets. Without appropriate security, the Agency\xe2\x80\x99s\nsystems and the sensitive data they contain are at risk. Some weaknesses identified in this report\ncould cause the Agency\xe2\x80\x99s systems and data to lose confidentiality, integrity, and availability to\nsome degree.\n\nTo mitigate the risks of the issues noted in the significant deficiency, management should\nconsider the following:\n\n\xe2\x80\xa2    Formally document comprehensive policies and procedures related to (1) threat identification\n     and vulnerability management and (2) application and system software change management\n     that address issues noted during the audit.\n\n\xe2\x80\xa2    Develop a comprehensive program to identify and monitor high-risk programs operating on\n     the mainframe.\n\n\xe2\x80\xa2    Analyze current access authorization and removal processes to determine whether current\n     controls mitigate the risk of unauthorized access and modify controls considering automation\n     and monitoring.\n\n\xe2\x80\xa2    Continue, as part of the SSA profile quality program, additional profile content reviews and\n     other key profile improvement initiatives.\n\n\xe2\x80\xa2    Address weaknesses identified within the comments of Appendix B by implementing our\n     recommendations provided throughout the audit in our Notices of Finding 
and\n     Recommendation.\n\nVIEWS OF RESPONSIBLE OFFICIALS\nOur conclusions were discussed with SSA responsible officials who generally agreed with our\nfindings and recommendations. SSA\xe2\x80\x99s official responses will be included in their comments to\nthe independent auditor\xe2\x80\x99s report on the audit of SSA\xe2\x80\x99s FY 2013 financial statements. 13\n\n\n\n\n13\n Grant Thornton, Independent Auditor\xe2\x80\x99s Report on SSA\xe2\x80\x99s FY 2013 financial statements will be released in\nDecember 2013.\n\n\n\nSSA\xe2\x80\x99s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013        8\n\x0c                                       APPENDICES\n\n\n\n\nSSA\xe2\x80\x99s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013\n\x0cAppendix A \xe2\x80\x93 SCOPE AND METHODOLOGY\nThe Federal Information Security Management Act of 2002 (FISMA) directs each agency\xe2\x80\x99s\nInspector General (IG) to perform, or have an independent external auditor perform, an annual\nindependent evaluation of the agency\xe2\x80\x99s information security programs and practices, as well as a\nreview of an appropriate subset of agency systems. 1 The Social Security Administration\xe2\x80\x99s (SSA)\nIG contracted with us, Grant Thornton LLP (Grant Thornton), to audit the SSA\xe2\x80\x99s Fiscal Year\n(FY) 2013 financial statements. 2 Because of the extensive internal control system work that is\ncompleted as part of that audit, the FISMA review requirements were incorporated into our\nfinancial statement audit (FSA) contract. To maximize efficiencies and minimize the impact to\nSSA management during the FISMA performance audit, we used Appendix IX \xe2\x80\x93 Application of\nFISCAM to FISMA from the GAO Federal Information System Controls Audit Manual\n(FISCAM) in order to leverage testing performed during the SSA FSA. 
Additionally, governed by the 2011 Government Auditing Standards, Chapters 1 through 3, 6, and 7 – in particular Chapter 6, Field Work Standards for Performance Audits - Using the Work of Others – we leveraged the information technology general controls testing performed during the FSA wherever it was deemed appropriate. In some cases, FISMA tests were unique from those of the FSA; therefore, we designed test procedures to deliver adequate coverage over those unique areas.

Testing was performed in accordance with specific criteria as promulgated by the following:

•     FISMA law;

•     Office of Management and Budget (OMB) guidance;

•     Department of Homeland Security (DHS) annual FISMA reporting instructions and annual FISMA IG reporting metrics; OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources;

•     Standards and guidelines issued by the National Institute of Standards and Technology (NIST), including NIST Special Publication (SP) 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations;

•     Federal Information Processing Standards Publication (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems; FIPS 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors;

•     Federal Information Security Memorandum 13-01, FY 2013 Metrics for the Federal Information Security Management Act and Agency Privacy Management Act and Operational Reporting Instructions;

•     Federal guidance and standards cited in the DHS annual FISMA IG reporting metrics; and,

•     Local SSA policies.

Our assessment followed the DHS FY 2013 FISMA guidance³ and focused on Risk Management, Configuration Management, Incident Response and Reporting, Security Training, Plan of Action and Milestones, Remote Access Management, Identity and Access Management, Continuous Monitoring Management, Contingency Planning, Contractor Systems, and Security Capital Planning.

We conducted this audit in accordance with generally accepted government auditing standards. These standards required that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on the audit objectives.

¹ Pub. L. No. 107-347, Title III, Section 301 §§ 3545(a)(1), (a)(2)(A), (a)(2)(B); and (b)(1), 44 U.S.C. §§ 3545(a)(1), (a)(2)(A), (a)(2)(B); and (b)(1).
² Office of the Inspector General Contract Number GS-23F-8196H, December 3, 2009.
³ DHS Federal Information Security Memorandum 13-01, FY 2013 Metrics for the Federal Information Security Management Act and Agency Privacy Management Act and Operational Reporting Instructions, September 2013.

Appendix B – RESPONSE TO FISCAL YEAR 2013 INSPECTOR GENERAL FEDERAL INFORMATION SECURITY MANAGEMENT ACT REPORTING METRICS

 Section 1: CONTINUOUS MONITORING MANAGEMENT

1.1.    Has the organization established an enterprise-wide continuous monitoring program that assesses the security state of information systems that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

        FY2013 Conclusion: Yes

        1.1.1. Documented policies and procedures for continuous monitoring (NIST SP 800-53: CA-7). (AP)

                FY2013 Conclusion: Yes

                Comments: N/A

        1.1.2. Documented strategy and plans for continuous monitoring (NIST SP 800-37 Rev. 1, Appendix G). (AP)

                FY2013 Conclusion: Yes

                Comments: N/A

        1.1.3. Ongoing assessments of security controls (system-specific, hybrid, and common) that have been performed based on the approved continuous monitoring plans (NIST SP 800-53, 800-53A). (AP)

                FY2013 Conclusion: Yes

                Comments: We noted that the SSA continuous monitoring strategy includes manual control assessments and automated reporting mechanisms.
                Per the strategy, security controls currently selected for automated continuous monitoring are primarily technical controls that automated support tools can monitor and controls that may change frequently due to architectural or environment modifications, such as updates and upgrades to hardware or software configurations. In regard to configuration standards, we noted that SSA made significant progress in developing baselines for authorized platforms in FY 2013; however, it had not developed configuration baselines for all authorized platforms. In regard to vulnerability scanning capabilities, we noted the scanning tool used by the Security Operations Center was not being utilized to its full capability for part of the fiscal year.

        1.1.4. Provides authorizing officials and other key system officials with security status reports covering updates to security plans and security assessment reports, as well as a common and consistent POA&M program that is updated with the frequency defined in the strategy and/or plans (NIST SP 800-53, 800-53A). (AP)

                FY2013 Conclusion: Yes

                Comments: We noted that SSA continued to enhance automated continuous monitoring reporting capabilities in FY 2013. Per the continuous monitoring strategy, the successful implementation of the SSA continuous monitoring strategy will require a sustained effort contingent upon the availability of funding and support from Agency components.

1.2.    Please provide any additional information on the effectiveness of the organization’s Continuous Monitoring Management Program that was not noted in the questions above.

                Comments: N/A

 Section 2: CONFIGURATION MANAGEMENT

2.1.    Has the organization established a security configuration management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

        FY2013 Conclusion: Yes

        2.1.1. Documented policies and procedures for configuration management. (Base)

                FY2013 Conclusion: Yes

                Comments: We noted that while compartmentalized policies and procedures existed, SSA lacked a comprehensive Agency-wide policy and procedures related to application and system software change management, including identification of all critical types of changes, security categorization and risk analysis for changes, testing requirements based on risk, and requirements for the review and approval of testing results.

        2.1.2. Defined standard baseline configurations. (Base)

                FY2013 Conclusion: Yes

                Comments: We noted that SSA established a list of authorized infrastructure software (platforms), had developed baselines for the majority of key platforms, and made significant progress in developing additional configuration baselines in FY 2013. However, it had not developed configuration baselines for all authorized platforms. Further, requirements associated with approval to deviate from agency security standards or configurations by submitting an exception request for software not on the authorized platform list were not in place during the entire fiscal year.

        2.1.3. Assessments of compliance with baseline configurations. (Base)

                FY2013 Conclusion: Yes

                Comments: We noted the following regarding compliance with baseline configurations:
                   • Lack of configuration baselines for some platforms;
                   • Internal penetration testing identified high risk vulnerabilities due to unpatched software and misconfigurations, which resulted in testers obtaining domain administrative rights and access to the mainframe; and,
                   • Assessments of key configurations and access rights on significant platforms identified issues including misconfigurations.

        2.1.4. Process for timely (as specified in organization policy or standards) remediation of scan result deviations. (Base)

                FY2013 Conclusion: No

                Comments: We noted that SSA had processes in place for remediation of results identified through scanning and internal penetration testing. However, we noted SSA lacked a comprehensive Agency-wide policy and procedures related to vulnerability management, including security vulnerability identification, prioritization, categorization, remediation, tracking, and closure / validation. Without appropriate prioritization, higher risk vulnerabilities may not be remediated timely, as demonstrated by internal penetration testing results.

        2.1.5. For Windows-based components, USGCB secure configuration settings are fully implemented, and any deviations from USGCB baseline settings are fully documented. (Base)

                FY2013 Conclusion: No

                Comments: We noted that documentation for a significant number of deviations from the USGCB settings did not provide sufficient information pertaining to risk analysis and business justification for the deviation.

        2.1.6. Documented proposed or actual changes to hardware and software configurations. (Base)

                FY2013 Conclusion: Yes

                Comments: We noted that while testing demonstrated that change management activities were occurring for both application and system software changes, the Agency had not fully documented a comprehensive policy and procedures covering the entirety of change management processes conducted by the Agency. In addition, our testing identified system software weaknesses, including completion of impact risk assessments, completion of test plans and retention of testing output, independent review of testing, and validation that changes were limited to those identified in the change request. For application changes, we noted instances where evidence to support testing and other requirements could not be provided.

                In addition, the Agency had not finalized and fully implemented controls associated with ensuring that mainframe privileged programs have been approved, can only be modified appropriately, and pose no security risks.

        2.1.7. Process for timely and secure installation of software patches. (Base)

                FY2013 Conclusion: Yes

                Comments: We noted that SSA had established a patch management process; however, issues associated with the ability to identify and remediate vulnerabilities in a timely manner impact the Agency’s ability to prioritize software patches. Without appropriate prioritization, higher risk vulnerabilities may not be remediated timely, as demonstrated by internal penetration testing results.

        2.1.8. Software assessing (scanning) capabilities are fully implemented (NIST SP 800-53: RA-5, SI-2). (Base)

                FY2013 Conclusion: No

                Comments: We noted the scanning tool used by the Security Operations Center was not being utilized to its full capability for part of the fiscal year.

        2.1.9. Configuration-related vulnerabilities, including scan findings, have been remediated in a timely manner, as specified in organization policy or standards (NIST SP 800-53: CM-4, CM-6, RA-5, SI-2). (Base)

                FY2013 Conclusion: No

                Comments: We noted that SSA had processes in place for remediation of scan results identified through scanning and internal penetration testing. However, we noted SSA lacked a comprehensive Agency-wide policy and procedures related to vulnerability management, including security vulnerability identification, prioritization, categorization, remediation, tracking, and closure / validation. Without appropriate prioritization, higher risk vulnerabilities may not be remediated timely, as demonstrated by internal penetration testing results. In addition, misconfigurations were identified through testing of configurations on key platforms.

        2.1.10. Patch management process is fully developed, as specified in organization policy or standards (NIST SP 800-53: CM-3, SI-2). (Base)

                FY2013 Conclusion: Yes

                Comments: We noted that SSA had established a patch management process; however, issues associated with the ability to identify and remediate vulnerabilities in a timely manner impact the Agency’s ability to prioritize software patches. Without appropriate prioritization, higher risk vulnerabilities may not be remediated timely, as demonstrated by internal penetration testing results.

2.2.    Please provide any additional information on the effectiveness of the organization’s Configuration Management Program that was not noted in the questions above.

                Comments: N/A

 Section 3: IDENTITY AND ACCESS MANAGEMENT

3.1.    Has the organization established an identity and access management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and which identifies users and network devices?
        Besides the improvement opportunities that have been identified by the OIG, does the program include the following attributes?

        FY2013 Conclusion: Yes

        3.1.1. Documented policies and procedures for account and identity management (NIST SP 800-53: AC-1). (Base)

                FY2013 Conclusion: Yes

                Comments: N/A

        3.1.2. Identifies all users, including Federal employees, contractors, and others who access organization systems (NIST SP 800-53, AC-2). (Base)

                FY2013 Conclusion: Yes

                Comments: Although the Agency was able to identify all users, including contractors, with access to the mainframe and all employees with access to the network, SSA did not have an authoritative source / system(s) that identified and managed all contractors.

        3.1.3. Identifies when special access requirements (e.g., multi-factor authentication) are necessary. (Base)

                FY2013 Conclusion: Yes

                Comments: We noted that SSA identified when special access requirements were necessary; however, we also noted that application developers had access to the production environment. These users did not obtain this access through the secondary ID process, which is a highly monitored process whereby programmers gain access to production for a limited time, and activity is subject to review.

        3.1.4. If multi-factor authentication is in use, it is linked to the organization’s PIV program where appropriate (NIST SP 800-53, IA-2). (KFM)

                FY2013 Conclusion: Yes

                Comments: N/A

        3.1.5. Organization has planned for implementation of PIV for logical access in accordance with government policies (HSPD 12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11). (AP)

                FY2013 Conclusion: Yes

                Comments: N/A

        3.1.6. Organization has adequately planned for implementation of PIV for physical access in accordance with government policies (HSPD 12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11).

                FY2013 Conclusion: Yes

                Comments: N/A

        3.1.7. Ensures that the users are granted access based on needs and separation-of-duties principles. (Base)

                FY2013 Conclusion: No

                Comments: We identified numerous issues with logical access controls which resulted in inappropriate and / or unauthorized access, including application developers (programmers) with unmonitored access to production and application transactions, access to key transactions and data, key change management libraries, and other sensitive system software resources.

        3.1.8. Identifies devices with IP addresses that are attached to the network and distinguishes these devices from users. (For example: IP phones, faxes, and printers are examples of devices attached to the network that are distinguishable from desktops, laptops, or servers that have user accounts.) (Base)

                FY2013 Conclusion: Yes

                Comments: The OIG Audit Report A-14-13-13050, The Social Security Administration’s Process to Identify and Monitor the Security of Hardware Devices Connected to its Network, noted that while the Agency has a process to identify hardware devices connected to its network, we [the IG] determined the Agency’s inventory was incomplete and inaccurate. Additionally, SSA did not approve all of the hardware devices connected to its network. Moreover, although SSA has processes to monitor the security level of connected devices, they were inconsistent with Agency policy in effect at the time of our [the IG] audit.

        3.1.9. Identifies all user and non-user accounts. (Refers to user accounts that are on a system. Data user accounts are created to pull generic information from a database or a guest/anonymous account for generic login purposes. They are not associated with a single user or a specific group of users.) (Base)

                FY2013 Conclusion: Yes

                Comments: We noted that SSA was able to identify user and non-user accounts. However, we noted instances where default account passwords had not been changed, access to a generic account that was not required by a user, a lack of requirements to periodically change passwords for system accounts, and issues associated with the management of vendor accounts.

        3.1.10. Ensures that accounts are terminated or deactivated once access is no longer required. (Base)

                FY2013 Conclusion: No

                Comments: We identified control failures related to the timely removal of logical access for terminated employees to the mainframe, network, and other supporting systems. Included in these control failures were instances of SSA employees and state Disability Determination Services employees. Additionally, SSA did not have an authoritative source that identified and managed all contractors and therefore was unable to support actual departure dates for contractors.

        3.1.11. Identifies and controls use of shared accounts. (Base)

                FY2013 Conclusion: Yes

                Comments: We noted instances where default account passwords had not been changed, access to a generic account that was not required by a user, a lack of requirements to periodically change passwords for system accounts, and issues associated with the management of vendor accounts.

3.2.    Please provide any additional information on the effectiveness of the organization’s Identity and Access Management Program that was not noted in the questions above.

                Comments: N/A

 Section 4: INCIDENT RESPONSE AND REPORTING

4.1.    Has the organization established an incident response and reporting program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

        FY2013 Conclusion: Yes

        4.1.1. Documented policies and procedures for detecting, responding to, and reporting incidents (NIST SP 800-53: IR-1). (Base)

                FY2013 Conclusion: Yes

                Comments: N/A

        4.1.2. Comprehensive analysis, validation, and documentation of incidents. (KFM)

                FY2013 Conclusion: Yes

                Comments: N/A

        4.1.3. When applicable, reports to US-CERT within established timeframes (NIST SP 800-53, 800-61; OMB M-07-16, M-06-19). (KFM)

                FY2013 Conclusion: Yes

                Comments: N/A

        4.1.4. When applicable, reports to law enforcement within established timeframes (SP 800-61). (KFM)

                FY2013 Conclusion: Yes

                Comments: We noted the incident reporting policy included information about reporting of incidents to law enforcement, including but not limited to the OIG, Federal Protective Services, and local law enforcement; however, the policy did not specify the established timeframes in which incidents should be reported to law enforcement.

        4.1.5. Responds to and resolves incidents in a timely manner, as specified in organization policy or standards, to minimize further damage (NIST SP 800-53, 800-61; OMB M-07-16, M-06-19). (KFM)

                FY2013 Conclusion: Yes

                Comments: We noted that the SSA incident response procedures did not provide guidance or directives associated with establishing timeframes in which incidents should be resolved.

        4.1.6. Is capable of tracking and managing risks in a virtual/cloud environment, if applicable. (Base)

                FY2013 Conclusion: Yes

                Comments: N/A

        4.1.7. Is capable of correlating incidents. (Base)

                FY2013 Conclusion: Yes

                Comments: N/A

        4.1.8. Has sufficient incident monitoring and detection coverage in accordance with government policies (NIST SP 800-53, 800-61; OMB M-07-16, M-06-19). (Base)

                FY2013 Conclusion: Yes

                Comments: N/A

4.2.    Please provide any additional information on the effectiveness of the organization’s Incident Management Program that was not noted in the questions above.

                Comments: N/A

 Section 5: RISK MANAGEMENT

5.1.    Has the organization established a risk management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

        FY2013 Conclusion: Yes

        5.1.1. Documented policies and procedures for risk management, including descriptions of the roles and responsibilities of participants in this process. (Base)

                FY2013 Conclusion: Yes

                Comments: N/A

        5.1.2. Addresses risk from an organization perspective with the development of a comprehensive governance structure and organization-wide risk management strategy as described in NIST 800-37, Rev. 1. (Base)

                FY2013 Conclusion: Yes

                Comments: We noted that SSA had a comprehensive governance structure and organization-wide risk management strategy. However, we noted instances where off-site locations did not consistently apply SSA guidance, such as requirements within the Program Operations Manual System.

        5.1.3. Addresses risk from a mission and business process perspective and is guided by the risk decisions from an organizational perspective, as described in NIST SP 800-37, Rev. 1. (Base)

                FY2013 Conclusion: Yes

                Comments: N/A

        5.1.4. Addresses risk from an information system perspective and is guided by the risk decisions from an organizational perspective and the mission and business perspective, as described in NIST 800-37, Rev. 1. (Base)

                FY2013 Conclusion: Yes

                Comments: N/A

        5.1.5. Has an up-to-date system inventory. (Base)

                FY2013 Conclusion: Yes

                Comments: N/A

        5.1.6. Categorizes information systems in accordance with government policies. (Base)

                FY2013 Conclusion: Yes

                Comments: N/A

        5.1.7. Selects an appropriately tailored set of baseline security controls. (Base)

                FY2013 Conclusion: Yes

                Comments: N/A

        5.1.8. Implements the tailored set of baseline security controls and describes how the controls are employed within the information system and its environment of operation. (Base)

                FY2013 Conclusion: Yes

                Comments: N/A

        5.1.9.
Assesses the security controls using appropriate assessment procedures to\n               determine the extent to which the controls are implemented correctly,\n               operating as intended, and producing the desired outcome with respect to\n               meeting the security requirements for the system. (Base)\n\n                FY2013 Conclusion: Yes\n\n                Comments: N/A\n\n        5.1.10. Authorizes information system operation based on a determination of the\n                risk to organizational operations and assets, individuals, other organizations,\n                and the Nation resulting from the operation of the information system and\n                the decision that this risk is acceptable. (Base)\n\n                FY2013 Conclusion: Yes\n\n                Comments: N/A\n\n        5.1.11. Ensures information security controls are monitored on an ongoing basis,\n                including assessing control effectiveness, documenting changes to the system\n                or its environment of operation, conducting security impact analyses of the\n                associated changes, and reporting the security state of the system to\n                designated organizational officials. (Base)\n\n                FY2013 Conclusion: Yes\n\n                Comments: We noted that SSA continued to enhance automated continuous\n                monitoring reporting capabilities in FY 2013. Per SSA\xe2\x80\x99s continuous monitoring\n                strategy, successful implementation of the SSA continuous monitoring strategy\n                will require a sustained effort contingent upon the availability of funding and\n                support from Agency components.\n\n        5.1.12. Information-system-specific risks (tactical), mission/business-specific risks\n                and organizational-level (strategic) risks are communicated to appropriate\n                levels of the organization. 
(Base)\n\n\n\nSSA\xe2\x80\x99s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013   B-11\n\x0c                FY2013 Conclusion: Yes\n\n                Comments: N/A\n\n        5.1.13. Senior officials are briefed on threat activity on a regular basis by\n                appropriate personnel (e.g., CISO). (Base)\n\n                FY2013 Conclusion: Yes\n\n                Comments: N/A\n\n        5.1.14. Prescribes the active involvement of information system owners and common\n                control providers, chief information officers, senior information security\n                officers, authorizing officials, and other roles as applicable in the ongoing\n                management of information-system-related security risks. (Base)\n\n                FY2013 Conclusion: Yes\n\n                Comments: N/A\n\n        5.1.15. Security authorization package contains system security plan, security\n                assessment report, and POA&M in accordance with government policies\n                (NIST SP 800-18, 800-37). (Base)\n\n                FY2013 Conclusion: Yes\n\n                Comments: N/A\n\n        5.1.16. Security authorization package contains accreditation boundaries, defined in\n                accordance with government policies, for organization information systems.\n                (Base)\n\n                FY2013 Conclusion: Yes\n\n                Comments: N/A\n\n5.2.    Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s\n        Risk Management Program that was not noted in the questions above.\n\n                Comments: N/A\n\n\n Section 6: SECURITY TRAINING\n\n\n6.1.    Has the organization established a security training program that is consistent with\n        FISMA requirements, OMB policy, and applicable NIST guidelines? 
        Besides the improvement opportunities that may have been identified by the OIG,
        does the program include the following attributes?

        FY2013 Conclusion: Yes

    6.1.1. Documented policies and procedures for security awareness training (NIST
           SP 800-53: AT-1). (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    6.1.2. Documented policies and procedures for specialized training for users with
           significant information security responsibilities. (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    6.1.3. Security training content based on the organization and roles, as specified in
           organization policy or standards. (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    6.1.4. Identification and tracking of the status of security awareness training for all
           personnel (including employees, contractors, and other organization users)
           with access privileges that require security awareness training. (KFM)

        FY2013 Conclusion: Yes

        Comments: We noted that SSA did not have an authoritative source / system(s)
        that identified and managed all contractors. Therefore, we were not able to gain
        reasonable assurance that the contractor population was complete. Without a
        complete population, the Agency may not be able to identify and track all
        contractors that require security awareness training. In addition, we noted that
        security training was not completed in a timely fashion for all employees and
        contractors (those that we were able to assess) or evidence to support completion
        of security training was not provided.

    6.1.5. Identification and tracking of the status of specialized training for all
           personnel (including employees, contractors, and other organization users)
           with significant information security responsibilities that require specialized
           training. (KFM)

        FY2013 Conclusion: Yes

        Comments: N/A

    6.1.6. Training material for security awareness training contains appropriate
           content for the organization (NIST SP 800-50, 800-53). (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

6.2.    Please provide any additional information on the effectiveness of the organization’s
        Security Training Program that was not noted in the questions above.

        Comments: N/A


Section 7: PLAN OF ACTION & MILESTONES (POA&M)

7.1.    Has the organization established a POA&M program that is consistent with FISMA
        requirements, OMB policy, and applicable NIST guidelines and tracks and
        monitors known information security weaknesses? Besides the improvement
        opportunities that may have been identified by the OIG, does the program include
        the following attributes?

        FY2013 Conclusion: Yes

    7.1.1. Documented policies and procedures for managing IT security weaknesses
           discovered during security control assessments and that require remediation.
           (Base)

        FY2013 Conclusion: Yes

        Comments: We noted that although key activities associated with tracking and
        monitoring IT security weaknesses were being performed, Management had not
        fully documented a comprehensive policy and procedures covering all of the
        Agency’s processes. Current policies and procedures associated with tracking of
        IT weaknesses, including the POA&M process, did not encompass the multiple
        tools and methods used by Management.

    7.1.2. Tracks, prioritizes and remediates weaknesses. (Base)

        FY2013 Conclusion: Yes

        Comments: We noted instances where Information Technology security
        weaknesses were inadvertently “closed” within the Agency’s tracking tool even
        though they remained open. It was noted that these items were subsequently
        corrected by Management.

    7.1.3. Ensures remediation plans are effective for correcting weaknesses. (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    7.1.4. Establishes and adheres to milestone remediation dates. (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    7.1.5. Ensures resources and ownership are provided for correcting weaknesses.
           (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    7.1.6. POA&Ms include security weaknesses discovered during assessments of
           security controls and that require remediation (do not need to include
           security weakness due to a risk-based decision to not implement a security
           control) (OMB M-04-25). (Base)

        FY2013 Conclusion: Yes

        Comments: We noted instances where Information Technology (IT) security
        weaknesses were inadvertently “closed” within the Agency’s tracking tool even
        though they remained open. It was noted that these items were subsequently
        corrected by Management.

    7.1.7. Costs associated with remediating weaknesses are identified (NIST SP 800-53,
           Rev. 3, Control PM-3; OMB M-04-25). (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    7.1.8. Program officials report progress on remediation to CIO on a regular basis,
           at least quarterly, and the CIO centrally tracks, maintains, and
           independently reviews/validates the POA&M activities at least quarterly
           (NIST SP 800-53, Rev. 3, Control CA-5; OMB M-04-25). (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

7.2.    Please provide any additional information on the effectiveness of the organization’s
        POA&M Program that was not noted in the questions above.

        Comments: N/A


Section 8: REMOTE ACCESS MANAGEMENT

8.1.    Has the organization established a remote access program that is consistent with
        FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the
        improvement opportunities that may have been identified by the OIG, does the
        program include the following attributes?

        FY2013 Conclusion: Yes

    8.1.1. Documented policies and procedures for authorizing, monitoring, and
           controlling all methods of remote access (NIST SP 800-53: AC-1, AC-17).
           (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    8.1.2. Protects against unauthorized connections or subversion of authorized
           connections. (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    8.1.3. Users are uniquely identified and authenticated for all access (NIST SP 800-46,
           Section 4.2, Section 5.1). (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    8.1.4. Telecommuting policy is fully developed (NIST SP 800-46, Section 5.1).
           (Base)

        FY2013 Conclusion: Yes

        Comments: We noted that SSA’s revised telework policy was in draft form
        pending resolution of administrative matters.

    8.1.5. If applicable, multi-factor authentication is required for remote access (NIST
           SP 800-46, Section 2.2, Section 3.3). (KFM)

        FY2013 Conclusion: Yes

        Comments: N/A

    8.1.6. Authentication mechanisms meet NIST SP 800-63 guidance on remote
           electronic authentication, including strength mechanisms. (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    8.1.7. Defines and implements encryption requirements for information
           transmitted across public networks. (KFM)

        FY2013 Conclusion: Yes

        Comments: N/A

    8.1.8. Remote access sessions, in accordance with OMB M-07-16, are timed-out
           after 30 minutes of inactivity, after which re-authentication is required.
           (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    8.1.9. Lost or stolen devices are disabled and appropriately reported (NIST SP 800-46,
           Section 4.3; US-CERT Incident Reporting Guidelines). (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    8.1.10. Remote access rules of behavior are adequate in accordance with
            government policies (NIST SP 800-53, PL-4). (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    8.1.11. Remote-access user agreements are adequate in accordance with government
            policies (NIST SP 800-46, Section 5.1; NIST SP 800-53, PS-6). (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

8.2.    Please provide any additional information on the effectiveness of the organization’s
        Remote Access Management that was not noted in the questions above.

        Comments: N/A

8.3.    Does the organization have a policy to detect and remove unauthorized (rogue)
        connections?

        FY2013 Conclusion: Yes

        Comments: N/A


Section 9: CONTINGENCY PLANNING

9.1.    Has the organization established an enterprise-wide business continuity/disaster
        recovery program that is consistent with FISMA requirements, OMB policy, and
        applicable NIST guidelines?
        Besides the improvement opportunities that may have been identified by the OIG,
        does the program include the following attributes?

        FY2013 Conclusion: Yes

    9.1.1. Documented business continuity and disaster recovery policy providing the
           authority and guidance necessary to reduce the impact of a disruptive event
           or disaster (NIST SP 800-53: CP-1). (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    9.1.2. The organization has incorporated the results of its system’s Business Impact
           Analysis (BIA) into the analysis and strategy development efforts for the
           organization’s Continuity of Operations Plan (COOP), Business Continuity
           Plan (BCP), and Disaster Recovery Plan (DRP) (NIST SP 800-34). (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    9.1.3. Development and documentation of division, component, and IT
           infrastructure recovery strategies, plans and procedures (NIST SP 800-34).
           (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    9.1.4. Testing of system specific contingency plans. (Base)

        FY2013 Conclusion: Yes

        Comments: We noted that SSA tested the majority of, but not all, major
        applications and/or general support systems as part of the disaster recovery
        exercise.

    9.1.5. The documented BCP and DRP are in place and can be implemented when
           necessary (FCD1, NIST SP 800-34). (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    9.1.6. Development of test, training, and exercise (TT&E) programs (FCD1, NIST
           SP 800-34, NIST SP 800-53). (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    9.1.7. Testing or exercising of BCP and DRP to determine effectiveness and to
           maintain current plans. (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    9.1.8. After-action report that addresses issues identified during
           contingency/disaster recovery exercises (FCD1, NIST SP 800-34). (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    9.1.9. Systems that have alternate processing sites (FCD1, NIST SP 800-34, NIST
           SP 800-53). (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    9.1.10. Alternate processing sites are not subject to the same risks as primary sites
            (FCD1, NIST SP 800-34, NIST SP 800-53).

        FY2013 Conclusion: Yes

        Comments: N/A

    9.1.11. Backups of information that are performed in a timely manner (FCD1, NIST
            SP 800-34, NIST SP 800-53). (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    9.1.12. Contingency planning that considers supply chain threats. (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

9.2.    Please provide any additional information on the effectiveness of the organization’s
        Contingency Planning Program that was not noted in the questions above.

        Comments: N/A


Section 10: CONTRACTOR SYSTEMS

10.1.   Has the organization established a program to oversee systems operated on its
        behalf by contractors or other entities, including organization systems and services
        residing in the cloud external to the organization? Besides the improvement
        opportunities that may have been identified by the OIG, does the program include
        the following attributes?

        FY2013 Conclusion: Yes

    10.1.1. Documented policies and procedures for information security oversight of
            systems operated on the organization’s behalf by contractors or other
            entities, including organization systems and services residing in a public
            cloud. (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    10.1.2. The organization obtains sufficient assurance that security controls of such
            systems and services are effectively implemented and comply with Federal
            and organization guidelines (NIST SP 800-53: CA-2). (Base)

        FY2013 Conclusion: Yes

        Comments: We noted that while SSA management assessed the system security
        plan and planned for an independent assessment of controls for a contractor
        system, the assessment had not been executed prior to operation of the system.

    10.1.3. A complete inventory of systems operated on the organization's behalf by
            contractors or other entities, including organization systems and services
            residing in a public cloud. (Base)

        FY2013 Conclusion: Yes

        Comments: We noted that the SSA contractor systems inventory did not include
        a service operated by a vendor. We noted that SSA had obtained a security
        controls assessment of this service.

    10.1.4. The inventory identifies interfaces between these systems and organization-
            operated systems (NIST SP 800-53: PM-5). (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    10.1.5. The organization requires appropriate agreements (e.g., MOUs,
            Interconnection Security Agreements, contracts, etc.) for interfaces between
            these systems and those that it owns and operates. (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    10.1.6. The inventory of contractor systems is updated at least annually. (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    10.1.7. Systems that are owned or operated by contractors or entities, including
            organization systems and services residing in public cloud, are compliant
            with FISMA requirements, OMB policy, and applicable NIST guidelines.
            (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

10.2.   Please provide any additional information on the effectiveness of the Organization’s
        Contractor Systems Program that was not noted in the questions above.

        Comments: N/A


Section 11: SECURITY CAPITAL PLANNING

11.1.   Has the organization established a security capital planning and investment
        program for information security? Besides the improvement opportunities that may
        have been identified by the OIG, does the program include the following attributes?

        FY2013 Conclusion: Yes

    11.1.1. Documented policies and procedures to address information security in the
            capital planning and investment control (CPIC) process. (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    11.1.2. Includes information security requirements as part of the capital planning
            and investment process. (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    11.1.3. Establishes a discrete line item for information security in organizational
            programming and documentation (NIST SP 800-53: SA-2). (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    11.1.4. Employs a business case/Exhibit 300/Exhibit 53 to record the information
            security resources required (NIST SP 800-53: PM-3). (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

    11.1.5. Ensures that information security resources are available for expenditure as
            planned. (Base)

        FY2013 Conclusion: Yes

        Comments: N/A

11.2.
Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s\n        Security Capital Planning Program that was not noted in the questions above.\n\n                Comments: N/A\n\nSSA\xe2\x80\x99s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013   B-22\n\x0cAppendix C \xe2\x80\x93 THE SOCIAL SECURITY ADMINISTRATION\xe2\x80\x99S\n             GENERAL SUPPORT SYSTEMS AND MAJOR\n             APPLICATIONS\n                                           System                                                 Acronym\n                                                                1\n                               General Support Systems\n    1                             Audit Trail System                                                ATS\n    2                    Comprehensive Integrity Review Process                                     CIRP\n    3                    Death Alert Control and Update System                                     DACUS\n    4                          Debt Management System                                               DMS\n    5           Enterprise Wide Mainframe & Distributed Network                                    EWANS\n                    Telecommunications Services and System\n     6                      FALCON Data Entry System                                              FALCON\n     7            Human Resources Management Information System                                    HRMIS\n     8                   Integrated Client Database System                                          ICDB\n     9               Integrated Disability Management System                                        IDMS\n    10                             Quality System                                                    QA\n    11              Security Management Access Control System                                      SMACS\n    12           Social Security Online Accounting & 
Reporting System                             SSOARS\n    13                Social Security Unified Measurement System                                    SUMS\n                                  Major Applications 2\n    1                        Electronic Disability System                                         eDib\n    2                   Earnings Record Maintenance System                                       ERMS\n    3              National Investigative Case Management System                                 NICMS\n    4       Recovery of Overpayments, Accounting and Reporting System                            ROAR\n    5       Retirement, Survivors, Disability Insurance Accounting System                     RSDI ACCTNG\n    6        Supplemental Security Income Record Maintenance System                             SSIRMS\n    7       Social Security Number Establishment and Correction System                          SSNECS\n    8                                   Title II                                                   T2\n\n\n\n\n1\n  Office of Management and Budget Circular A-130, Appendix III, Security of Federal Automated Information\nResources, Section A.2.c, defines a \xe2\x80\x9cgeneral support system\xe2\x80\x9d or \xe2\x80\x9csystem\xe2\x80\x9d as an interconnected set of information\nresources under the same direct management control which shares common functionality.\n2\n Office of Management and Budget Circular A-130, Appendix III, Security of Federal Automated Information\nResources, Section A.2.d, defines a \xe2\x80\x9cmajor application\xe2\x80\x9d as an application that requires special attention to security\ndue to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification\nof the information in the application.\n\n\n\nSSA\xe2\x80\x99s Compliance with FISMA for FY 2013 (A-14-13-13086)                                                            C-1\n\x0cAppendix D \xe2\x80\x93 METRICS 
DEFINED\n\xe2\x80\xa2   Continuous Monitoring Management - Continuous Monitoring maintains ongoing\n    awareness of information security, vulnerabilities, and threats to support organizational risk\n    management decisions.\n\n\xe2\x80\xa2   Configuration Management - From a security point of view, Configuration Management\n    provides assurance that the system in operation is the correct version (configuration) of the\n    system and that any changes to be made are reviewed for security implications.\n\n\xe2\x80\xa2   Identify and Access Management - Identity and Access Management includes policies to\n    control user access to information system objects, including devices, programs, and files.\n\n\xe2\x80\xa2   Incident Response and Reporting - According to the National Institute of Standards and\n    Technology (NIST), Special Publication (SP) 800-12, the two main benefits of an incident-\n    handling capability are (1) containing and repairing damage from incidents and\n    (2) preventing future damage.\n\n\xe2\x80\xa2   Risk Management \xe2\x80\x93 \xe2\x80\x9cRisk Management is the process of managing risks to organizational\n    operations (including mission, functions, image, reputation), organizational assets,\n    individuals, other organizations, and the Nation, resulting from the operation of an\n    information system, and includes: (i) the conduct of a risk assessment; (ii) the\n    implementation of a risk mitigation strategy; and (iii) employment of techniques and\n    procedures for the continuous monitoring of the security state of the information system.\xe2\x80\x9d\n    NIST Special Publication 800-53, Rev. 3, page B-11.\n\n\xe2\x80\xa2   Security Training - According to FISMA, Title III of the E-Government Act of 2002\n    (Pub. L. No. 107-347, December 17, 2002) an agency wide information security program for\n    a Federal agency must include security awareness training. 
This training must cover\n    (1) information security risks associated with users\xe2\x80\x99 activities and (2) users\xe2\x80\x99 responsibilities\n    in complying with agency policies and procedures designed to reduce these risks.\n\n\xe2\x80\xa2   Plan of Action and Milestones (POA&M) \xe2\x80\x93 According to OMB M-14-04, \xe2\x80\x9cPlan of Action\n    and Milestone (POA&M) (defined in OMB Memorandum M-02-01), A POA&M, also\n    referred to as a corrective action plan, is a tool that identifies tasks that need to be\n    accomplished. It details resources required to accomplish the elements of the plan, any\n    milestones in meeting the task, and scheduled completion dates for the milestones. The\n    purpose of the POA&M is to assist agencies in identifying, assessing, prioritizing, and\n    monitoring the progress of corrective efforts for security weaknesses found in programs and\n    systems.\xe2\x80\x9d\n\n\xe2\x80\xa2   Remote Access Management - Refers to controls associated with remote access to the\n    information systems from virtually any remote location.\n\n\xe2\x80\xa2   Contingency Planning - Processes and controls to mitigate risks associated with\n    interruptions (losing capacity to process, retrieve, and protect electronically maintained\n    information) that may result in lost or incorrectly processed data.\n\n\xe2\x80\xa2   Contractor Systems - Agencies are responsible for ensuring that appropriate security\n    controls are in place over contractor systems used or operated by contractors or other entities\n    (such as other Federal or state agencies) on behalf of an agency.\n\n\xe2\x80\xa2   Security Capital Planning \xe2\x80\x93 According to OMB M-14-04, \xe2\x80\x9cCapital Planning and\n    Investment Control Process (as defined in OMB Circular A-130, (6)(C)) A management\n    process for ongoing 
identification, selection, control, and evaluation of investments in\n    information resources. The process links budget formulation and execution, and is focused\n    on agency missions and achieving specific program outcomes.\xe2\x80\x9d\n\n\nAppendix E \xe2\x80\x93 MAJOR CONTRIBUTORS\nEveka Rodriguez, Engagement Partner, Grant Thornton\n\nGreg Wallig, Electronic Data Processing Partner, Grant Thornton\n\nCal Bassford, Director, Grant Thornton\n\nJessica Saunders, Senior Associate, Grant Thornton\n\nOlga Mason, Senior Associate, Grant Thornton\n\nKevin Potter, Associate, Grant Thornton\n\n\n                                           MISSION\nBy conducting independent and objective audits, evaluations, and investigations, the Office of\nthe Inspector General (OIG) inspires public confidence in the integrity and security of the Social\nSecurity Administration\xe2\x80\x99s (SSA) programs and operations and protects them against fraud,\nwaste, and abuse. 
We provide timely, useful, and reliable information and advice to\nAdministration officials, Congress, and the public.\n\n\n                                   CONNECT WITH US\nThe OIG Website (http://oig.ssa.gov/) gives you access to a wealth of information about OIG.\nOn our Website, you can report fraud as well as find the following.\n   \xe2\x80\xa2   OIG news\n   \xe2\x80\xa2   audit reports\n   \xe2\x80\xa2   investigative summaries\n   \xe2\x80\xa2   Semiannual Reports to Congress\n   \xe2\x80\xa2   fraud advisories\n   \xe2\x80\xa2   press releases\n   \xe2\x80\xa2   congressional testimony\n   \xe2\x80\xa2   an interactive blog, \xe2\x80\x9cBeyond The Numbers,\xe2\x80\x9d where we welcome your comments\n\nIn addition, we provide these avenues of communication through our social media channels.\n   \xe2\x80\xa2   Watch us on YouTube\n   \xe2\x80\xa2   Like us on Facebook\n   \xe2\x80\xa2   Follow us on Twitter\n   \xe2\x80\xa2   Subscribe to our RSS feeds or email updates\n\n\n                          OBTAIN COPIES OF AUDIT REPORTS\nTo obtain copies of our reports, visit our Website at\nhttp://oig.ssa.gov/audits-and-investigations/audit-reports/all. For notification of newly released reports, sign up for e-updates\nat http://oig.ssa.gov/e-updates.\n\n\n                          REPORT FRAUD, WASTE, AND ABUSE\nTo report fraud, waste, and abuse, contact the Office of the Inspector General via\n   Website:        http://oig.ssa.gov/report-fraud-waste-or-abuse\n   Mail:           Social Security Fraud Hotline\n                   P.O. Box 17785\n                   Baltimore, Maryland 21235\n   FAX:            410-597-0118\n   Telephone:      1-800-269-0271 from 10:00 a.m. to 4:00 p.m. Eastern Standard Time\n   TTY:            1-866-501-2101 for the deaf or hard of hearing\n"